Skip to main content

Meetup Website Has Patched Vulnerability Open To Hackers

By August 12, 2020May 5th, 2022Cybersecurity

Recently, security researchers at Checkmarx discovered a pair of serious vulnerabilities in the popular online meeting website Meetup.

According to the researchers, a hacker could combine cross-site scripting (XSS) with cross-site request forgeries (CSRF) to gain admin privileges on the site.

This would allow them to do anything from changing the details of any user’s events, outright cancelling them, exfiltrating user information, and/or redirecting PayPal payments.

The research team discovered that by making use of these two vulnerabilities, it was possible to inject malicious scripts into posts made in the discussions section of the Meetup site. That is a feature enabled by default on every event inside the framework of the system.

Erez Yalon, the Director of Security Research at Checkmarx had this to say about his team’s discovery:

“When you have these two vulnerabilities, it’s basically the Holy Grail for a hacker. Because what it means is if an organizer page runs the script in the browser, we can actually use their role of administrator to do whatever we want.”

For their part, when Meetup was informed of the pair of vulnerabilities by Checkmarx, they responded quickly and patched the system. As of this moment, neither of the exploits remain functional and there is no evidence that hackers ever made use of them, which definitely counts as a bullet dodged.

Ultimately, the vulnerability was enabled by the fact that it’s possible to add scripts to the discussions page. That is something that could have been prevented if an allow list had been used that specifies exactly what script commands can be used on the page.

Unfortunately, the company used a deny list in this case. A deny list isn’t nearly as effective as a filtering mechanism, because hackers can almost always come up with things a site owner would never consider. They’re always finding ways around any deny list.

In any case, the issue is now resolved, and if you’re a Meetup user, there’s nothing you need to do. Continue making use of the site as you have been.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over the past 20 years. He believes that having a great work environment and supportive team, is the ultimate key to success. Since being in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor Degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMWare VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.